Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims 

Claim 1 (currently amended): A method of detecting an attack on an authentication 
service, said method comprising: 

storing data relating to a plurality of authentication requests communicated to an 
authentication service from a plurality of user agents via a data communication network, said 
requests each including a login identifier, a network address from which the request was 
communicated, and a password, and wherein storing the data relating to the requests comprises 
storing the login identifier and network address and storing the password of each of the requests 
in a database of the authentication service only if the request is unsuccessful; 

searching the stored data based on a query variable to identify a at least one of the 
plurality of the requests communicated from at least one of the plurality of the user agents, 

comparing the stored data associated with the identified requests with a predefined 
pattern characterizing an attack based on the stored data password of the identified requests to 
determine when the identified requests indicate[[s]] the characterized attack on the authentication 
service; and 

detecting the attack in response to determining that the identified requests indicate[[s]] 
the characterized attack. 

Claim 2 (currently amended): The method of claim 1, wherein said storing the data 
relating to the plurality of the requests comprises storing one or more of the following: 

a network address from which one of the plurality of the requests is communicated; a 
credential type of the one of the plurality of the requests; a user account associated with the one 
of the plurality of the requests; a status of the one of the plurality of the requests; a time stamp 
indicating a date and time of the one of the plurality of the requests; a type of interface from 
which the one of the plurality of the requests is communicated; and the user agent from which 
the one of the plurality of the requests is communicated. 

Claim 3 (original): The method of claim 2, wherein said status of the one of the plurality 
of the requests comprises one or more of the following: the one of the plurality of the requests is 
successful; the one of the plurality of the requests is unsuccessful; and the user account 
associated with the one of the plurality of the requests has been locked. 

Claim 4 (canceled). 

Claim 5 (original): The method of claim 1, wherein said comparing the stored data 
associated with each of the identified requests with the predefined pattern comprises comparing 
the stored data with a pattern characterized by one or more of the following: using a single 
password to unsuccessfully attempt at least a predetermined quantity of requests on multiple user 
accounts within a predefined time interval; using the single password to unsuccessfully attempt 
at least the predetermined quantity of the requests from a single network address on the multiple 
user accounts within the predefined time interval; and unsuccessfully attempting at least the 
predetermined quantity of the requests from the single network address within the predefined 
time interval. 

Claim 6 (original): The method of claim 1, wherein said comparing the stored data 
associated with each of the identified requests with the predefined pattern comprises comparing 
the stored data with a pattern characterized by one or more of the following: using multiple 
passwords to unsuccessfully attempt at least a predetermined quantity of requests on a single user 
account within a predefined time interval; using the multiple passwords to unsuccessfully 
attempt at least the predetermined quantity of the requests from a single network address on the 
single user account within the predefined time interval; and unsuccessfully attempting at least the 
predetermined quantity of the requests on the single user account within the predefined time 
interval. 




MS#3073 12.01 (5104) 



Claim 7 (original): The method of claim 1, wherein said comparing the stored data 
associated with each of the identified requests with the predefined pattern comprises comparing 
the stored data with a pattern characterized by one or more of the following: a single password to 
unsuccessfully attempt at least a predetermined quantity of requests from multiple network 
addresses on a single user account within a predefined time interval; and unsuccessfully 
attempting at least the predetermined quantity of the requests from the multiple network 
addresses on the single user account. 

Claim 8 (previously presented): The method of claim 1, further comprising generating a 
report in response to detecting the attack, said report providing information regarding the attack 
for use in defending against the attack. 

Claim 9 (previously presented): The method of claim 1, further comprising remedying 
the attack in response to detecting the attack. 

Claim 10 (original): The method of claim 1, wherein said remedying the attack 
comprises performing one or more of the following: locking a user account associated with one 
of the plurality of the requests; blocking a network address from which the one of the plurality of 
the requests is communicated; implementing a human interaction proof on the authentication 
service; prompting a user to change a password associated with the user account; and limiting a 
quantity of allowed unsuccessful requests to a predetermined quantity within a predefined time 
interval for the network address from which the one of the plurality of the requests is 
communicated. 

Claim 11 (original): The method of claim 1, wherein the plurality of the requests 
comprises one or more of the following types of requests: authentication, registration, and 
password-reset; wherein one of the plurality of the requests is communicated via a human 
interaction proof; and wherein said storing the data relating to the plurality of the requests 
comprises storing one or more of the following: a network address from which the one of the 
plurality of the requests is communicated, a process where the human interaction proof is 
implemented, a time stamp indicating a date and time of the one of the plurality of the requests, 
and the user agent from which the one of the plurality of the requests is communicated. 

Claim 12 (original): The method of claim 11, wherein said comparing the stored data 
associated with each of the identified requests with the predefined pattern comprises comparing 
the stored data with a pattern characterized by one or more of the following: using multiple test 
strings to unsuccessfully attempt at least a predetermined quantity of requests on a single human 
interaction proof string within a predefined time interval; and using a single test string to 
unsuccessfully attempt at least the predetermined quantity of the requests on multiple human 
interaction proof strings within the predefined time interval. 

Claim 13 (original): The method of claim 1, wherein said comparing the stored data 
associated with each of the identified requests with a predefined pattern comprises: 

comparing historical data relating to the authentication service with the stored data, and 

in response to said comparing, determining if the stored data deviates from the historical 
data to determine if the attack on the authentication service has occurred. 

Claim 14 (currently amended): The method of claim 1, wherein said searching the stored 
data to identify at least one of the a plurality of the requests comprises searching the stored data 
to generate a result set based on one or more of the following query variables: a network address 
that communicates a request, a quantity of user accounts for which access has been attempted, a 
password associated with a failed request, a quantity of failed requests for one or more user 
accounts, a quantity of requests for one or more user accounts, and a time interval during which 
one or more requests are communicated; wherein the result set identifies the stored data relating 
to one or more requests that correspond to the query variables. 

Claim 15 (previously presented): The method of claim 1, wherein one or more computer- 
readable storage media have computer-executable instructions for performing the method recited 
in claim 1. 

Claim 16 (currently amended): A system of detecting an attack on an authentication 
service, said system comprising: 

a first memory area to store data relating to a plurality of authentication requests 
communicated to an authentication service from a plurality of user agents via a data 
communication network, said data being stored in the first memory area as a log of the 
authentication service, wherein each of the requests communicated to the authentication service 
includes a login identifier, a network address from which the request was communicated, and a 
password and wherein the stored data contains the login identifier and the network address and 
contains the password of each of the requests only if the request is unsuccessful, and wherein 
said first memory area is a database of the authentication service; 

a second memory area to store a predefined pattern of a plurality of one or more requests, 
said predefined pattern characterizing an attack on the authentication service; and 

a processor configured to execute computer-executable instructions to: 

search the stored data as a function of a query variable to identify a at least one of the 
plurality of the requests communicated from at least one of the plurality of the user agents, 

compare the stored data associated with each of the identified requests with the 
predefined pattern, 

determine whether the identified requests indicate[[s]] the attack characterized by the 
predefined pattern, and 

detect the attack in response to determining that the identified requests indicate[[s]] the 
attack characterized by the predefined pattern. 

Claim 17 (currently amended): The system of claim 16, wherein the stored data 
comprises one or more of the following: a network address from which one of the plurality of the 
requests is communicated; a credential type of the one of the plurality of the requests; a user 
account associated with the one of the plurality of the requests; a failed password associated with 
the one of the plurality of the requests; a status of the one of the plurality of the requests; a time 
stamp indicating a date and time of the one of the plurality of the requests; a type of interface 
from which the one of the plurality of the requests is communicated; and the user agent from 
which the one of the plurality of the requests is communicated. 

Claim 18 (original): The system of claim 16, wherein said predefined pattern is 
characterized by one or more of the following: using a single password to unsuccessfully attempt 
a quantity of requests on multiple user accounts within a predefined time interval; using the 
single password to unsuccessfully attempt the quantity of the requests from a single network 
address on the multiple user accounts within the predefined time interval; and unsuccessfully 
attempting the quantity of the requests from the single network address within the predefined 
time interval. 

Claim 19 (original): The system of claim 16, wherein said predefined pattern is 
characterized by one or more of the following: using multiple passwords to unsuccessfully 
attempt a quantity of requests on a single user account within a predefined time interval; using 
the multiple passwords to unsuccessfully attempt the quantity of the requests from a single 
network address on the single user account within the predefined time interval; unsuccessfully 
attempting the quantity of the requests on the single user account within the predefined time 
interval; using a single password to unsuccessfully attempt a quantity of requests from multiple 
network addresses on a single user account within a predefined time interval; and using the 
multiple network addresses to unsuccessfully attempt the quantity of the requests on the single 
user account. 

Claim 20 (currently amended): The system of claim 16, wherein the processor is 
configured to search the stored data to identify at least one of the a plurality of the requests by 
generating a result set based on one or more of the following query variables: a network address 
that communicates a request, a quantity of user accounts for which access has been attempted, a 
password associated with a failed request, a quantity of failed requests for one or more user 
accounts, a quantity of requests for one or more user accounts, and a time interval during which 
one or more requests are communicated; wherein the result set identifies the stored data relating 
to one or more requests that correspond to the query variables. 

Claim 21 (previously presented): The system of claim 16, wherein the processor is 
further configured to generate a report in response to detecting the attack, said report providing 
information regarding the characterized attack for use in defending against the attack. 

Claim 22 (previously presented): The system of claim 16, wherein the processor is 
further configured to remedy the characterized attack in response to detecting the attack. 

Claim 23 (original): The system of claim 16, wherein the plurality of the requests 
comprises one or more of the following types of requests: authentication, registration, and 
password-reset; wherein one of the plurality of the requests is communicated via a human 
interaction proof; and wherein the stored data comprises one or more of the following: a network 
address from which the one of the plurality of the requests is communicated, a process where the 
human interaction proof is implemented, a time stamp indicating a date and time of the one of 
the plurality of the requests, and the user agent from which the one of the plurality of the 
requests is communicated. 

Claim 24 (original): The system of claim 23, wherein said predefined pattern is 
characterized by one or more of the following: using multiple test strings to unsuccessfully 
attempt a quantity of requests on a single human interaction proof string within a predefined time 
interval; and using a single test string to attempt unsuccessfully the quantity of the requests on 
multiple human interaction proof strings within the predefined time interval. 

Claim 25 (canceled). 

Claim 26 (currently amended): A user authentication system, said system receiving a 
plurality of authentication requests communicated from a plurality of user agents, each of said 
requests including a login identifier, a network address from which the request was 
communicated, and a password associated therewith, said system comprising: 

a first memory area to store data relating to a plurality of unsuccessful requests 
communicated from the plurality of user agents, wherein the stored data includes the login 
identifier and the network address and includes the password of each of the unsuccessful requests 
communicated from the plurality of user agents and does not include the password of any 
successful requests, wherein the first memory area is a database of the user authentication 
service; 

a second memory area to store a predefined pattern of one or more a plurality of requests, 
said predefined pattern characterizing an attack based on the password stored data of each of the 
one or more plurality of requests; and 

a processor configured to execute computer-executable instructions to: 

search the stored data based on a query variable to generate a result set that identifies at 
least one of the a plurality of the requests communicated from at least one of the plurality of the 
user agents, 

compare each of the identified requests with the predefined pattern to determine if the 
characterized attack has occurred, and 

detect the attack in response to determining that the characterized attack has occurred. 

Claim 27 (currently amended): The system of claim 26, wherein the stored data 
comprises one or more of the following: a network address from which one of the plurality of the 
requests is communicated; a credential type of the one of the plurality of the requests; a user 
account associated with the one of the plurality of the requests; a failed password associated with 
the one of the plurality of the requests; a status of the one of the plurality of the requests; a time 
stamp indicating a date and time of the one of the plurality of the requests; a type of interface 
from which the one of the plurality of the requests is communicated; and a user agent from 
which the one of the plurality of the requests is communicated. 

Claim 28 (original): The system of claim 26, wherein said predefined pattern is 
characterized by one or more of the following: using a single password to unsuccessfully attempt 
at least a predetermined quantity of requests on multiple user accounts within a predefined time 
interval; using the single password to unsuccessfully attempt at least the predetermined quantity 
of the requests from a single network address on the multiple user accounts within the predefined 
time interval; and unsuccessfully attempting at least the predetermined quantity of the requests 
from the single network address within the predefined time interval. 

Claim 29 (previously presented): The system of claim 26, wherein the processor is 
further configured to generate a report in response to detecting the attack, said report providing 
information regarding the characterized attack for use in defending against the attack. 

Claim 30 (original): The system of claim 26, wherein the processor is further configured 
to remedy the characterized attack if the characterized attack is determined to have occurred. 

Claim 31 (original): The system of claim 26, wherein the plurality of the requests 
comprises one or more of the following types of requests: authentication, registration, and 
password-reset; wherein one of the plurality of the requests is communicated via a human 
interaction proof; and wherein said predefined pattern is characterized by one or more of the 
following: using multiple test strings to unsuccessfully attempt at least a predetermined quantity 
of requests on a single human interaction proof string within a predefined time interval, and 
using a single test string to unsuccessfully attempt at least the predetermined quantity of the 
requests on multiple human interaction proof strings within the predefined time interval. 

Claim 32 (original): The system of claim 26, further comprising means for determining 
if the stored data associated with one or more of the plurality of the requests matches the 
predefined pattern. 

Claim 33 (currently amended): One or more computer-readable storage media having 
computer-executable components for detecting an attack on an authentication service, said 
authentication service receiving a plurality of authentication requests communicated from a 
plurality of user agents via a data communication network, each of said requests including a 
login identifier, a network address from which the request was communicated, and a password 
associated therewith, said computer-readable media comprising: 

a memory component to store data relating to a plurality of unsuccessful requests 
communicated to the authentication service from the plurality of user agents, wherein the stored 
data includes the login identifier and the network address, and includes the password of each of 
the unsuccessful requests communicated to the authentication service and does not include the 
password of any successful requests, wherein said memory component comprises a database of 
the authentication service. 

a query component to search the stored data as a function of a query variable to identify 
at least one of the a plurality of the requests communicated from at least one of the plurality of 
the user agents, and 

an analyzing component to compare the stored data associated with each of the identified 
requests with a predefined pattern characterizing an attack based on the password stored data of 
each of the identified requests to determine when the identified request indicates the 
characterized attack on the authentication service and to detect the attack on the authentication 
service in response to determining that the identified request indicates the characterized attack. 

Claim 34 (currently amended): The computer-readable storage media of claim 33, 
wherein the stored data comprises one or more of the following information: a network address 
from which one of the plurality of the requests is communicated; a credential type of the one of 
the plurality of the requests; a user account associated with the one of the plurality of the 
requests; a failed password associated with the one of the plurality of the requests; a status of the 
one of the plurality of the requests; a time stamp indicating a date and time of the one of the 
plurality of the requests; a type of interface from which the one of the plurality of the requests is 
communicated; and the user agent from which the one of the plurality of the requests is 
communicated. 

Claim 35 (previously presented): The computer-readable storage media of claim 33, 
wherein said predefined pattern is characterized by one or more of the following: using a single 
password to unsuccessfully attempt a quantity of requests on multiple user accounts within a 
predefined time interval; using the single password to unsuccessfully attempt the quantity of the 
requests from a single network address on the multiple user accounts within the predefined time 
interval; and unsuccessfully attempting the quantity of the requests from the single network 
address within the predefined time interval. 

Claim 36 (previously presented): The computer-readable storage media of claim 33, 
further comprising a report component to generate a report in response to detecting the attack, 
said report providing information regarding the attack for use in defending against the attack. 

Claim 37 (previously presented): The computer-readable storage media of claim 33, 
further comprising a defense component to remedy the characterized attack in response to 
detecting the attack. 

Claim 38 (previously presented): The computer-readable storage media of claim 37, 
wherein said defense component is adapted to remedy the characterized attack by performing 
one or more of the following in response to detecting the attack: locking a user account 
associated with one of the plurality of the requests; blocking a network address from which the 
one of the plurality of the requests is communicated; implementing a human interaction proof on 
the authentication service; prompting a user to change a password associated with the user 
account; and limiting a quantity of allowed unsuccessful requests to a predetermined quantity 
within a predefined time interval for the network address from which the one of the plurality of 
the requests is communicated. 

Claim 39 (previously presented): The computer-readable storage media of claim 33, 
wherein the plurality of the requests comprises one or more of the following types of requests: 
authentication, registration, and password-reset; wherein one of the plurality of the requests is 
communicated via a human interaction proof; and wherein said predefined pattern is 
characterized by one or more of the following: using multiple test strings to unsuccessfully 
attempt a quantity of requests on a single human interaction proof string within a predefined time 
interval, and using a single test string to unsuccessfully attempt the quantity of the requests on 
multiple human interaction proof strings within the predefined time interval. 

Claim 40 (currently amended): The computer-readable storage media of claim 33, 
wherein the query component is adapted to search the stored data to identify at least one of the a 
plurality of the requests by generating a result set based on one or more of the following query 
variables: a network address that communicates a request, a quantity of user accounts for which 
access has been attempted, a password associated with a failed request, a quantity of failed 
requests for one or more user accounts, a quantity of requests for one or more user accounts, and 
a time interval during which one or more requests are communicated; and wherein the result set 
identifies the stored data relating to one or more requests that match the query variables. 
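
The store, search and compare steps of claim 1, applied to the patterns recited in claims 5 to 7, as an added Python example that is not part of the application. All names, thresholds and log rows are constructed for illustration, and as an assumption the log keeps a keyed digest of each failed password where the claims store the password itself.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

TAG_KEY = b"constructed-demo-key"  # assumption: server-side secret, not in the claims


def tag(password):
    """Keyed digest of a failed password; identical guesses get identical tags."""
    return hmac.new(TAG_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class Attempt:
    ts: int                # seconds since an arbitrary epoch
    login: str
    addr: str
    ok: bool
    pw_tag: Optional[str]  # recorded only for unsuccessful requests


def record(ts, login, addr, password, ok):
    """Always keep login and address; keep the password tag only on failure."""
    return Attempt(ts, login, addr, ok, None if ok else tag(password))


def detect(log, group_by, distinct, quantity, min_distinct, interval):
    """Return {group key: sorted distinct values} for each group with at least
    `quantity` failed requests covering at least `min_distinct` distinct values
    inside some window of `interval` seconds."""
    groups = defaultdict(list)
    for a in log:
        if not a.ok:
            groups[group_by(a)].append(a)
    hits = {}
    for key, rows in groups.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > interval:
                start += 1  # slide the window forward
            window = rows[start:end + 1]
            seen = {distinct(a) for a in window}
            if len(window) >= quantity and len(seen) >= min_distinct:
                hits[key] = sorted(seen)
                break
    return hits


def single_password_many_accounts(log, quantity, interval):      # claim 5
    return detect(log, lambda a: a.pw_tag, lambda a: a.login, quantity, 2, interval)

def many_passwords_one_account(log, quantity, interval):         # claim 6
    return detect(log, lambda a: a.login, lambda a: a.pw_tag, quantity, 2, interval)

def one_password_many_addresses(log, quantity, interval):        # claim 7
    return detect(log, lambda a: (a.login, a.pw_tag), lambda a: a.addr,
                  quantity, 2, interval)


# Constructed sample log (documentation address ranges, made-up logins).
LOG = (
    [record(t, u, "203.0.113.7", "Spring2024!", False)
     for t, u in zip((0, 10, 20, 30), ("alice", "bob", "carol", "dave"))]
    + [record(50, "frank", "192.0.2.50", "oops", False),
       record(55, "frank", "192.0.2.50", "correct-horse", True)]
    + [record(100 + 10 * i, "erin", "198.51.100.9", f"guess{i}", False)
       for i in range(5)]
    + [record(200 + 10 * i, "gina", f"192.0.2.{i + 1}", "hunter2", False)
       for i in range(3)]
)
```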